User:Mjo5091/sandbox/Security controls (Information Security)
This is not a Wikipedia article: It is an individual user's work-in-progress page, and may be incomplete and/or unreliable. For guidance on developing this draft, see Wikipedia:So you made a userspace draft. Find sources: Google (books · news · scholar · free images · WP refs) · FENS · JSTOR · TWL |
Information security controls are safeguards of different types and functions which protect the confidentiality, integrity, and availability of data (also known as the CIA triad) [1].
Information security control types
[edit]There are three main types if Information security controls:
- Physical controls are material implementations of security measures, e.g., fences, sensors, and re-issuing new access cards.
- Technical or logical controls use computing capabilities to implement protective security measures, e.g., intrusion prevention or detection systems, and endpoint detection and response (EDR).
- Administrative or procedural controls are management controls like policies, procedures, and standards by which technical or physical controls are governed, e.g., data classification, security audits, and business continuity planning (BCP).
Information security control functions
[edit]There are three main information security control functions and a couple of peripheral functions.
Three main information security control functions:
- Preventive controls are implemented prior to a threat event occurrence with the goal of preventing it, e.g., locks, firewalls, and access control lists (ACLs).
- Detective controls are designed to discover threats after they occur, e.g., CCTV, honeypots, and audit logs.
- Corrective controls lessen or reverse the impact of an incident, e.g., uninterruptible power supply (UPS), vulnerability patching, and incident response plans.
Additional control functions:
- Compensatory or alternative controls are leveraged when a required security measure (by law or regulation) is not able to be implemented due to business or financial constraints[2], e.g., in place of encryption which may be costly to implement and increase transaction time, multiple encryption technologies across an organization may suffice in providing the same level of security such as e-mail encryption, database security, and DLP (Data-Leakage Prevention).
- Deterrent controls reduce the likelihood of an incident based on its presence, e.g., security cameras, roving security guards, or regular security patrols around a building perimeter.
Information security control types and functions matrix & examples
[edit]Below is a table partially listing some examples of security controls and which type & function they perform, in accordance with the main types and functions of preceding sections.
See Also
[edit]References
[edit]- ^ "The 3 Types Of Security Controls (Expert Explains)". purplesec.us. Retrieved 2021-03-07.
- ^ "compensating control (alternative control)". whatis.techtarget.com. Retrieved 2021-03-07.
External Links
[edit]Ranking information security controls by using fuzzy analytic hierarchy process
A multi-criteria evaluation of information security controls using boolean features
Reducing cybersecurity risk with minimal resources
Breaking Down SOC 2 and ISO 27001: Is One Really Better?